The Green Sheet Online Edition

July 27, 2009 • Issue 09:07:02

Moving the needle on level 4 merchants

By Joan Herbig
ControlScan

Since the Oct. 1, 2008, deadline requiring all newly boarded merchants to be Payment Card Industry (PCI) Data Security Standard (DSS) compliant or to use Payment Application (PA) DSS-compliant applications, hundreds of processors, banks and ISOs have launched PCI compliance programs for their level 4 merchant portfolios. (The PA DSS was formerly known as PA Best Practices [PABP]).

While this is a great start, a huge uphill battle remains. By most estimates, fewer than 10 percent of the level 4 merchant population has attested to compliance with the PCI DSS.

This represents an ongoing challenge for acquirers, who bear the ultimate risk for noncompliance. In fact, according to an Aite Group LLC report, 43 percent of acquiring executives rate security and PCI compliance as the top challenge for their sector.

The key to moving the needle on this statistic is for acquirers and ISOs to develop comprehensive and highly targeted merchant outreach programs.

The first 90 days

Since most small merchants still don't understand or know about PCI compliance and how it impacts their businesses, it is critical to launch broad awareness and engagement campaigns at the beginning of a program. These campaigns help educate and prepare merchants for the compliance process.

If you are charging a fee for your PCI compliance program, education on the front-end is even more vital. Surprising merchants with a compliance fee before they have had a chance to understand the importance and value of compliance can negatively impact the program and your relationships with your merchants.

Because it is not well understood, PCI compliance is not a priority for most small merchants, so successful programs should begin with a series of touch points to engage merchants. Your campaign strategy should include:

• Frequently asked questions
• Statement inserts or messages
• E-mail campaigns
• Dedicated direct mail campaigns
• Telephone outreach

The 90-day plan shouldn't be focused on merchants alone; also devise training plans and support materials for merchant-facing employees, such as customer service reps, sales agents and so forth. Regardless of whether you run the compliance program yourself or outsource it, many merchants will call your company to find out if the program is legitimate or to ask for clarification.

Be prepared to answer basic questions about PCI compliance and to handle common objections. And keep in mind that, if your team isn't aligned on the program and the messaging, you will confuse and frustrate your merchants.

If you follow a similar comprehensive communication plan to the one just described you will typically see an initial burst in your portfolio's compliance rates during the first 90 days of the program; then the compliance rates will begin to slow down. So, how do you maintain the momentum?

Target messages and campaigns

Once you complete the launch phase of your PCI compliance program, the next step is to analyze the results and identify key segments of your merchant portfolio to which you should target additional outreach.

The campaigns may be a mix of three target categories based on compliance milestones, merchant classification code and self assessment questionnaire (SAQ) type.

Unfortunately there is not a one-size-fits-all approach to targeting at this point. The results of your initial campaign efforts will dictate the best targeting methods for your portfolio.

Creating campaigns targeted to merchants based on their progress, or lack thereof, during the PCI compliance process creates an opportunity to provide tips to accelerate merchants' compliance efforts. Examples of such targeting include:

• Disengaged merchants: This is a point at which you should employ sterner language in your communications to convey a sense of urgency. Some acquirers have also instituted noncompliance fees as penalties.

  While more directive, the message targeted to this group of merchants should include instructional language, focusing on the basic steps merchants must take to complete the process, which will make compliance feel less daunting.

• Stuck merchants: First, conduct analysis to determine the average length of time it takes your compliant merchants to complete the PCI compliance process. For best results, this should be done by SAQ type. Once you have this data, launch a calling campaign targeted to merchants who have started the process but haven't become compliant within your average time frames.

  In many cases these merchants are hung up on a specific area of the SAQ or working toward remediation for noncompliance with a PCI DSS requirement. By calling merchants you have the opportunity to guide them through any issues encountered and help them complete the attestation process.

• Use of merchant classification codes and categories: To drive more relevant messages also consider targeting your campaigns to specific merchant groups. Each merchant group has different motivations and varying degrees of understanding of PCI compliance.

  For example, an e-commerce merchant could be very familiar with security and the need for Web site scans, but not be very aware of his or her PCI obligations.

  Contrast this to a nail salon that may not even have a computer and has no understanding of the basic tenets of security. Think about the distinct characteristics of segments within your merchant portfolio so your communications resonate with the targeted audience.

  Your small-merchant portfolio may also consist of a high percentage of a particular merchant classification. This is an opportunity for you to create a targeted campaign that speaks specifically to merchants within this group or keeps their unique circumstances in mind.

  For example, if you have a significant population of restaurants in your portfolio, you don't want to launch a calling campaign during their peak serving hours. You can also leverage industry statistics and trends to help specific merchant groups understand where they are most vulnerable or use the information to target the highest risk groups in your portfolios.

• Compliant merchants approaching annual re-attestation: When you set up your program, don't forget that PCI compliance is not a one-time event. Each year your merchants need to complete the SAQ and attest to compliance with the PCI DSS. Be sure to remind these merchants at least two months prior to their renewal dates.

  Set the expectation in advance that if these merchants haven't changed their credit card data handling dramatically, they should be able to leverage their previous SAQ responses to expedite the process.

SAQ type

Following are suggestions for targeting campaigns based on SAQ type:

• Set up expectations on the front-end. Nearly 80 percent of small merchants fall into SAQ Validation Types 1, 2 or 3, which means they are required to complete SAQ forms A or B. The good news for these merchants is they will only have to complete an 11- or 25-question questionnaire. Having this kind of information will allow you to help these merchants understand that their task is easily manageable and can be completed quickly.

• Since most small merchants don't have security policies or security awareness training in place, consider providing these services as part of your overall PCI compliance program.

  They are both part of the PCI DSS, and providing them takes a burden off of your merchants' shoulders, thereby reinforcing the service aspect to your PCI program.

• For merchants who require vulnerability scanning (SAQ forms C and D), you may need to follow up with them to ensure they actually completed a scan.

  Require documentation that validates that these merchants completed their scans, and if they haven't, recommend or refer a scanning vendor so the merchant can complete the PCI compliance process at the point of initial engagement.

• Also, make sure you work with an Approved Scanning Vendor (ASV) listed by the PCI Security Standards Council. An ASV must supply the quarterly certification of a passing scan. Most ASVs offer technical support to help merchants complete the process. This usually includes clarification of scan results and assistance with remediation for cases in which a merchant's scan reveals dangerous vulnerabilities.

The right direction

PCI provides a security "compass" to level 4 merchants for whom security is generally not a priority. As such, it ensures that merchants are implementing the basic systems, processes and policies needed to protect cardholder data on an ongoing basis. Regular, targeted communications can keep PCI compliance a priority so that, instead of becoming an annual ordeal for your merchants, it becomes an everyday part of doing business.

Joan Herbig is Chief Executive Officer of ControlScan. She has more than 20 years' experience in the high-tech world and serves on the Electronic Transactions Association's Risk and Fraud committee. Contact her at jherbig@controlscan.com or 800-825-3301.

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.